Skill Trust Decision

tiktok-video-downloader

The skill claims transparency and 'no data collection' but performs undeclared filesystem writes to track user usage data in ~/.openclaw, creating a directory and usage.json file without disclosure.

Source: Manual upload · Scanned: Apr 4, 2026
Files 2
Artifacts 5
Violations 1
Findings 4
Most direct threat evidence
High Doc Mismatch
False claim of 'no data collection'

SKILL.md explicitly states 'We do not collect, store, or transmit any user data' but the code creates a usage tracking file in the user's home directory at ~/.openclaw/skills/tiktok-video-downloader/usage.json

scripts/fetch_tiktok_video.py:30

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

5 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

Doc deception - undeclared data collection +25

SKILL.md claims 'no data collection' but code writes usage tracking to ~/.openclaw/skills/tiktok-video-downloader/usage.json

Undeclared filesystem WRITE access +20

Creates directory and writes JSON file to user home directory - not declared in SKILL.md

Undisclosed crypto payment integration +10

Hardcoded Polygon USDC wallet address and Request Network payment URL embedded in code without SKILL.md disclosure

Most important evidence

High · Doc Mismatch

False claim of 'no data collection'

SKILL.md explicitly states 'We do not collect, store, or transmit any user data' but the code creates a usage tracking file in the user's home directory at ~/.openclaw/skills/tiktok-video-downloader/usage.json

scripts/fetch_tiktok_video.py:30

Update SKILL.md to declare filesystem WRITE access for quota tracking, or remove the local storage and track quotas server-side only

High · Doc Mismatch

Undeclared crypto payment integration

Code contains a hardcoded Polygon USDC wallet address and Request Network payment integration for monetization. This commercial payment feature is not disclosed anywhere in SKILL.md

scripts/fetch_tiktok_video.py:23

Disclose payment integration in SKILL.md with clear terms of service and privacy policy

Medium · Priv Escalation

Undeclared filesystem WRITE to home directory

The skill writes to the ~/.openclaw directory, which may be an OpenClaw-specific path. This creates persistent state on the user's system without declaring filesystem WRITE permission

scripts/fetch_tiktok_video.py:38

Declare filesystem:WRITE in capability map and document what data is stored and why

Low · Doc Mismatch

Misleading 'open source' claim

SKILL.md states 'Open source: All code is visible and auditable in this skill package' but this merely means the code is included. True open source implies version control, issue tracking, and community oversight

SKILL.md:30

Rephrase to clarify that the code is included in the package rather than implying a traditional open source project

Declared capability vs actual capability

Capability  Verdict  Declared  Inferred  Evidence
Filesystem  Block  NONE  WRITE  scripts/fetch_tiktok_video.py:30-31 - creates ~/.openclaw/skills/tiktok-video-downloader/ directory
Network  Pass  READ  READ  Scripts make POST requests to savefbs.com API as declared

Suspicious artifacts and egress

Medium External URL
https://savefbs.com

SKILL.md:8

Medium External URL
https://savefbs.com/pricing

SKILL.md:18

Medium External URL
https://www.tiktok.com/@username/video/1234567890

SKILL.md:59

Medium Wallet Address
0xA4195EeFF370c003C5C775BE4C3f350022666305

scripts/fetch_tiktok_video.py:23

Medium External URL
https://pay.request.network/

scripts/fetch_tiktok_video.py:24

Dependencies and supply chain

Package  Version  Source  Known vuln  Notes
requests  *  pip  No  Version not pinned - could fetch any version

File composition

2 files · 309 lines
Python · 1 file · 191 lines
Markdown · 1 file · 118 lines
Files of concern · 2
scripts/fetch_tiktok_video.py Python · 191 lines
False claim of 'no data collection' · Undeclared crypto payment integration · Undeclared filesystem WRITE to home directory · 0xA4195EeFF370c003C5C775BE4C3f350022666305 · https://pay.request.network/
SKILL.md Markdown · 118 lines
Misleading 'open source' claim · https://savefbs.com · https://savefbs.com/pricing · https://www.tiktok.com/@username/video/1234567890

Security positives

No reverse shell or command execution to attacker-controlled infrastructure
No credential theft or API key harvesting detected
No base64 or obfuscated code execution
No attempts to access ~/.ssh, ~/.aws, or other sensitive credential paths
Network requests only go to declared domain (savefbs.com)
Uses legitimate payment service (Request Network) for monetization